change to namespaced resources as much as possible.

Author: zetxqx

config/charts/inferencepool/templates/gke.yaml

@@ -38,10 +38,14 @@ spec:
 {{- if .Values.inferenceExtension.monitoring.gke.enabled }}
 {{- $saName := printf "%s-metrics-reader-sa" .Release.Name -}}
 {{- $secretName := printf "%s-metrics-reader-secret" .Release.Name -}}
-{{- $clusterRoleName := printf "%s-%s-metrics-reader" .Release.Namespace .Release.Name -}}
-{{- $clusterRoleBindingName := printf "%s-%s-metrics-reader-role-binding" .Release.Namespace .Release.Name -}}
-{{- $secretReadClusterRoleName := printf "%s-%s-metrics-reader-secret-read" .Release.Namespace .Release.Name -}}
-{{- $gmpCollectorRoleBindingName := printf "gmp-system:collector:%s-%s-metrics-reader-secret-read" .Release.Namespace .Release.Name -}}
+{{- $roleName := printf "%s-metrics-reader" .Release.Name -}}
+{{- $roleBindingName := printf "%s-metrics-reader-role-binding" .Release.Name -}}
+{{- $secretReadRoleName := printf "%s-metrics-reader-secret-read" .Release.Name -}}
+{{- $gmpNamespace := "gmp-system" -}}
+{{- if .Values.inferenceExtension.monitoring.gke.autopilot -}}
+{{-   $gmpNamespace = "gke-gmp-system" -}}
+{{- end -}}
+{{- $gmpCollectorRoleBindingName := printf "%s:collector:%s-%s-metrics-reader-secret-read" $gmpNamespace .Release.Namespace .Release.Name -}}
 ---
 apiVersion: v1
 kind: ServiceAccount
@@ -61,9 +65,10 @@ metadata:
 type: kubernetes.io/service-account-token
 ---
 apiVersion: monitoring.googleapis.com/v1
-kind: ClusterPodMonitoring
+kind: PodMonitoring
 metadata:
-  name: {{ .Release.Namespace }}-{{ .Release.Name }}
+  name: {{ .Release.Name }}
+  namespace: {{ .Release.Namespace }}
   labels:
     {{- include "gateway-api-inference-extension.labels" . | nindent 4 }}
 spec:
@@ -78,15 +83,14 @@ spec:
         secret:
           name: {{ $secretName }}
           key: token
-          namespace: {{ .Release.Namespace }}
   selector:
     matchLabels:
       {{- include "gateway-api-inference-extension.selectorLabels" . | nindent 8 }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  name: {{ $clusterRoleName }}
+  name: {{ $roleName }}
 rules:
 - nonResourceURLs:
   - /metrics
@@ -96,20 +100,20 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: {{ $clusterRoleBindingName }}
+  name: {{ $roleBindingName }}
 subjects:
 - kind: ServiceAccount
   name: {{ $saName }}
   namespace: {{ .Release.Namespace }}
 roleRef:
   kind: ClusterRole
-  name: {{ $clusterRoleName }}
+  name: {{ $roleName }}
   apiGroup: rbac.authorization.k8s.io
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
+kind: Role
 metadata:
-  name: {{ $secretReadClusterRoleName }}
+  name: {{ $secretReadRoleName }}
 rules:
 - resources:
   - secrets
@@ -118,16 +122,17 @@ rules:
   resourceNames: [{{ $secretName | quote }}]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
+kind: RoleBinding
 metadata:
   name: {{ $gmpCollectorRoleBindingName }}
+  namespace: {{ .Release.Namespace }}
 roleRef:
-  name: {{ $secretReadClusterRoleName }}
-  kind: ClusterRole
+  name: {{ $secretReadRoleName }}
+  kind: Role
   apiGroup: rbac.authorization.k8s.io
 subjects:
 - name: collector
-  namespace: gmp-system
+  namespace: {{ $gmpNamespace }}
   kind: ServiceAccount
 {{- end }}
 {{- end }}

config/charts/inferencepool/values.yaml

@@ -53,6 +53,8 @@ inferenceExtension:
 
     gke:
       enabled: false
+      # Set to true if the cluster is an Autopilot cluster.
+      autopilot: false
 
 inferencePool:
   targetPorts: